Now that fortunately more and more hosters are offering Let's Encrypt™ certificates, i.e. free SSL, it's time to take a closer look at the initiative behind this SSL for everyone. What exactly does Let's Encrypt do? Why are the certificates free? What can Let's Encrypt already do and where is there still some catching up to do? We discuss these and other questions in this background article.
Encryption of data traffic is increasingly becoming the standard in the network. Fortunately! Since we also integrated Let's Encrypt about a year ago, it makes sense to take a closer look at the project.
Let's Encrypt is a relatively young certificate authority (CA) for SSL/TLS certificates; its public beta started in 2015. The initiative has created an automated process through which certificates are issued. A certificate lets the browser verify that the server it is talking to controls the domain name shown in the address bar (it says nothing about who operates the site) and that the data traffic between browser and web server is encrypted.
What is Let's Encrypt?
The key principles of Let's Encrypt are:
- Free: Anyone with a domain name can use Let's Encrypt. In addition, Let's Encrypt certificates are free of charge.
- Automatic: Software running on a web server can obtain a certificate from Let's Encrypt, configure it securely for use and take care of renewal automatically.
- Secure: Let's Encrypt serves as a platform for advancing TLS security best practices, both on the CA side and by helping site operators secure their servers properly.
- Transparent: All certificates issued or revoked by Let's Encrypt are publicly logged and can be inspected by anyone.
- Open: The protocol for automatic issuance and renewal (ACME) is published as an open standard that others can adopt.
- Cooperative: Much like the underlying Internet protocols themselves, Let's Encrypt is a joint effort that benefits the community.
Yes, Let's Encrypt certificates are really free of charge
The most pressing question first: Is Let's Encrypt really free? To make a long story short: Yes, neither the certificates nor the required programs cost money. For many people, however, this question is not motivated by purely economic considerations, but primarily by the question of why Let's Encrypt is free. In other words, why a product that other organizations previously had to pay for is suddenly being offered free of charge.
Non-profit status and sponsors make Let's Encrypt free of charge
Let's Encrypt is a non-profit project and gets by with a small staff. In addition, the majority of processes are automated, which eliminates a major financial burden. The required hardware is also largely covered by the cooperation with the Linux Foundation. All other costs are covered by sponsorship and donations.
Anyone can donate any amount of money to the organization via PayPal. A sponsorship system has been created for larger sums and organizations. The most expensive package costs $350,000; smaller companies can participate for amounts between $10,000 and $50,000, depending on the number of people they employ.
What are the goals of Let's Encrypt?
Not only economic considerations play a role in this context, but also the question of the organizers' motives. On the one hand, there is the altruistic argument: HTTPS should become the standard on the Internet and all website operators worldwide should be able to adapt their own website to this easily and free of charge.
It's time for encrypted communications to be the default on the web and Let's Encrypt is going to make it happen. - Let's Encrypt
The second important motivation is the desire to create equality on the web. After all, serving a site over HTTPS has been a ranking signal for Google since 2014. And if certain websites either cannot afford the certificates or do not have access to them, this excludes these sites - and therefore certain people and their WordPress projects - from participating on the internet.
We provide certificates free of charge, because cost excludes people. Our certificates are available in every country in the world, because the secure Web is for everyone. - Let's Encrypt
The idea of fairness and equality thus seems to be the central element of Let's Encrypt's efforts.
Let's Encrypt is supported by many industry giants
In addition to the official sponsors, which include big names such as Mozilla, Cisco, Chrome and Facebook, companies from the WordPress sector are also among the supporters of the Let's Encrypt project. For example, Automattic or wpbeginner. These companies and organizations in particular are a perfect fit for Let's Encrypt due to their WordPress-specific view of the Internet and their motivation.
Incidentally, Automattic is a silver sponsor, which means annual costs of $50,000. Automattic has distinguished itself above all through its standard integration of Let's Encrypt certificates for sites hosted on WordPress.com.
Let's Encrypt is the project, the organizational structures are much larger
Let's Encrypt itself is merely the certification service, i.e. the authority that issues the certificates. However, the overall organizational construct is much larger. The parent organization of Let's Encrypt is the Internet Security Research Group (ISRG) based in San Francisco. The board of this non-profit organization includes scientists, company representatives and representatives of foundations and other non-profit organizations.
At least two other institutions are also important in connection with Let's Encrypt. One is the Electronic Frontier Foundation (EFF), which has developed Certbot, the most widely used client software for obtaining and renewing Let's Encrypt certificates, under that name since May 2016. The other is the Linux Foundation, which provides the technical infrastructure for Let's Encrypt via its Collaborative Projects program.
In total, several teams from non-profit organizations support Let's Encrypt and the corresponding infrastructure.
The greatest strength of Let's Encrypt is its ease of use
The three greatest strengths of Let's Encrypt are certainly that the certificates are free, that Let's Encrypt and the required software are constantly being developed and improved, and that setting up the certificates is relatively simple.
We have already discussed the aspect of free certificates. Let's Encrypt and its client software are also under constant development. Finally, the certificates are quite easy to set up for anyone with the appropriate skills and access rights, and even learning the necessary steps is not particularly difficult. In the typical case all you need to do is install Certbot together with the plugin for your web server (Apache or nginx); Certbot then requests the certificate from Let's Encrypt, proves control of the domain, installs the certificate into the server configuration and renews it when it is due.
The biggest weakness of Let's Encrypt is compatibility
Currently, Let's Encrypt offers only one kind of certificate: domain-validated (DV) certificates, which prove control of a domain name and nothing more. This is unlikely to change, because the checks of an organization's identity required for OV or EV certificates cannot be automated and also cost money. However, it is precisely automation that makes Let's Encrypt certificates free of charge. Extended validation is therefore difficult to reconcile with the basic idea of Let's Encrypt, even if there have been initial ideas on how validation could be outsourced to the community, for example. To our knowledge, however, plans for the introduction of extended validation have not been pursued.
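What the automated domain validation actually checks is worth seeing in code. The following is an added example, not code from the article, from Let's Encrypt or from Certbot: a minimal model of the ACME http-01 challenge with both the client side (publishing the key authorization under `/.well-known/acme-challenge/`) and the CA side (fetching it and comparing it against the account key on file). The account keys, the token, the domain and the dictionary standing in for the web root are constructed values; a real client signs its ACME requests with the account key and the CA fetches the URL over the network, both of which are left out here.

```python
"""ACME http-01 domain validation, modelled with both sides in one process.

Added example: not code from the article, from Let's Encrypt or from Certbot.
The account keys, the token, the domain and the dict standing in for the web
root are constructed values; a real client signs its ACME requests with the
account key and the CA fetches the URL over the network."""
import base64
import hashlib
import hmac
import json


def b64url(data: bytes) -> str:
    """Base64url without padding, the encoding used by JWK and ACME."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required members only, in
    lexicographic order, with no whitespace. Optional members such as
    'kid' or 'alg' are deliberately excluded."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
    members = {k: jwk[k] for k in required[jwk["kty"]]}
    canonical = json.dumps(members, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("ascii")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """The string both sides compute: token '.' thumbprint(account key).
    Binding the token to the account key means that a third party who can
    read the token cannot complete the challenge with their own account."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def challenge_url(domain: str, token: str) -> str:
    """Where the CA looks: plain HTTP on port 80, fixed well-known path."""
    return f"http://{domain}/.well-known/acme-challenge/{token}"


# Client side (what an ACME client such as Certbot's webroot mode does)
def provision_http01(webroot: dict, domain: str, token: str, account_jwk: dict) -> str:
    """Publish the key authorization at the challenge URL and return the URL."""
    url = challenge_url(domain, token)
    webroot[url] = key_authorization(token, account_jwk)
    return url


# CA side (what Let's Encrypt does before issuing a DV certificate)
def validate_http01(webroot: dict, domain: str, token: str, account_jwk: dict) -> bool:
    """Fetch the challenge URL and compare the body with the key authorization
    computed from the account key on file. A missing file, a stale token or a
    body produced with a different account key all fail."""
    body = webroot.get(challenge_url(domain, token))
    if body is None:
        return False
    expected = key_authorization(token, account_jwk)
    # Trailing whitespace is tolerated, as RFC 8555 allows; compare in constant time.
    return hmac.compare_digest(body.strip().encode("utf-8"), expected.encode("ascii"))


# Constructed inputs: these are not real keys and not a real CA token.
ACCOUNT_JWK = {"kty": "RSA", "e": "AQAB", "n": b64url(b"constructed modulus, not a real key")}
ATTACKER_JWK = {"kty": "RSA", "e": "AQAB", "n": b64url(b"a different constructed modulus")}
TOKEN = b64url(b"constructed token; real ones are random")  # real tokens carry >= 128 bits of entropy
DOMAIN = "example.com"


if __name__ == "__main__":
    webroot = {}  # stands in for the document root served on port 80 for DOMAIN
    url = provision_http01(webroot, DOMAIN, TOKEN, ACCOUNT_JWK)
    print("client serves", url, "->", webroot[url])
    print("CA validates with the account key:", validate_http01(webroot, DOMAIN, TOKEN, ACCOUNT_JWK))
    print("CA validates with another account:", validate_http01(webroot, DOMAIN, TOKEN, ATTACKER_JWK))
    print("thumbprint ignores optional members:",
          jwk_thumbprint(dict(ACCOUNT_JWK, kid="acct-1")) == jwk_thumbprint(ACCOUNT_JWK))
```

The point of the account-key binding is visible in the last two checks: someone who can read the token from the CA's challenge cannot complete the validation with their own account, and the thumbprint is stable regardless of optional JWK members, so client and CA agree on it. This is the whole of the "validation" a DV certificate represents, and it is why it can be automated while OV and EV cannot.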
Although the certificates are not difficult for professionals to integrate, non-professionals, or people with limited access to their web server, can spend an unnecessarily long time adapting the server configuration for Certbot, requesting the certificates, installing them and renewing them regularly. In particular, the validity period of a Let's Encrypt certificate is considerably shorter than that of a "normal" certificate: Let's Encrypt certificates are valid for 90 days and must be renewed before they expire. The short lifetime is deliberate; it limits the damage from a compromised key and is only practical if renewal is automated (Certbot, for example, renews by default once fewer than 30 days remain). A classic SSL certificate, on the other hand, is valid for 12, 24 or even 36 months and generally requires no technical maintenance during this period.
In the event of problems, you are also completely on your own and cannot make use of Let's Encrypt's support services. However, there is an extensive community support forum. In the early days, the compatibility of the free SSL certificates with various browsers was also a problem. However, all major browsers can now handle the certificates. Problems only occur with outdated software.
So if you don't have the necessary skills, integrating a certificate yourself, including testing, troubleshooting and correcting errors, can be significantly more expensive than buying an SSL certificate. However, this is now more of a theoretical problem. This is because many hosters either support a simple one-click installation of certificates or offer free basic certificates from other certification authorities.
Conclusion: Let's Encrypt has a noble goal that should be supported
According to its own statements, Let's Encrypt wants to make the internet safer and faster, especially for users who previously had no access to SSL certificates. For professional website operators, Let's Encrypt primarily has a cost, trust and SEO advantage, even if only for domain validations. It is doubtful whether extended validations will also be offered in the foreseeable future - assuming the automation problem cannot be solved.
However, using the certificates not only provides free encryption - and for some people a deeper understanding of security on the Internet - but also indirectly supports the good cause behind Let's Encrypt. We have integrated Let's Encrypt primarily because we believe in the benefits of the project. Although the certificates cost nothing, using them still takes some effort; that effort is hopefully a contribution to a new security standard on the Internet.
Your questions about Let's Encrypt
Featured image: Unsplash
Hello Johann,
I am not aware of any differences in performance and SEO. Otherwise, there are definitely levels of authentication, see for example https://www.digicert.com/de/difference-between-dv-ov-and-ev-ssl-certificates